Security Model

Sign Up /api/users/

E-mail
strongbad@homestarrunner.com
Password
hunter2
  • Generate RSA
  • Create public key '-----BEGIN PUBLIC KEY...'
  • Create private key '-----BEGIN PRIVATE KEY...'
  • Encrypt Private Key with password 'hunter2' as '-----BEGIN ENCRYPTED PRIVATE KEY...'
  • Hash password 'hunter2' > 'some111hash121=='
POST
200 - Great Job!
  • Store e-mail address
  • Re-hash and store password
  • Store public key
  • Store private key

Authentication /api/user-public-auth/{email}/ and /api/auth/login/

E-mail
strongbad@homestarrunner.com
Password
hunter2
  • Hash password 'hunter2' with salt, alg, iterations from server > 'some111hash121=='. Use defaults from libsodium.
  • Keep encrypted private key that could be decrypted with secret key (technically it's base64 and not PEM) '-----BEGIN ENCRYPTED PRIVATE KEY...'
GET user-public-auth
200 - Salt, alg, iterations
  • Retrieve public user info
 
POST login
200 - Encrypted private key and auth token
  • Use standard Django authentication where client-hashed password is the password
  • Retrieve encrypted private key

Create Secret /api/secrets

Secret Name
Spoiler
Create Secret
Soylent Green is people
  • Create new secret key using libsodium secret key (default alg)
  • Encrypt secret key with personal public key (ciphertext of key)
  • Encrypt secret with secret key (ciphertext of secret)
POST all ciphertext
201 - Great Success!
  • Store secret name
  • Store secret key ciphertext
  • Store secret ciphertext

Retrieve Secret /api/secrets/<secret_id>/

Secret Name
Spoiler
Create Secret
Soylent Green is people
  • Decrypt personal private key with master password
  • Decrypt secret key ciphertext with personal key pair
  • Decrypt secret ciphertext with secret key > 'Soylent Green is people'
GET
200 - secret with ciphertext
  • Retrieve secret name
  • Retrieve secret key ciphertext
  • Retrieve secret ciphertext

Sharing Secrets

First, we create a group with its own public key pair. Then, we add a user to the group. Finally, we add the secret to the group.
Personal Private Key
Private key decrypts Group membership Secret key, which decrypts Group membership Private Key
Group Membership
  • Encrypted Secret Key
  • Encrypted Private Key
Group
  • Public Key
  • Conceptually a group has one private key - but it is not stored on the server unencrypted. The private key ciphertext must be copied in for each Group membership.
Group private key decrypts Secret key which decrypts secret ciphertext
Secret Ciphertext (One for each group the secret belongs to)
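
The sharing chain described above, as an added Node.js example (not Passit's own code). Assumptions: AES-256-GCM and RSA-OAEP from Node's built-in crypto stand in for the page's libsodium and RSA primitives, all function names are hypothetical, and the personal private key is taken as already decrypted with the master password.

```javascript
const crypto = require('crypto');
// Assumption: AES-256-GCM stands in for libsodium's default secret-key cipher.
function seal(key, plaintext) {
  const nonce = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, nonce);
  const body = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([nonce, c.getAuthTag(), body]);
}
function open(key, blob) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]); // throws if tampered
}
// RSA key pair as PEM strings (hypothetical helper; Node's RSA default padding is OAEP).
function newKeyPair() {
  return crypto.generateKeyPairSync('rsa', {
    modulusLength: 2048,
    publicKeyEncoding: { type: 'spki', format: 'pem' },
    privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
  });
}
// Group membership: a fresh secret key wrapped to the user, and the group
// private key encrypted under that secret key (a PEM is too large for RSA).
function addMember(userPublicPem, groupPrivatePem) {
  const membershipKey = crypto.randomBytes(32);
  return {
    encryptedSecretKey: crypto.publicEncrypt(userPublicPem, membershipKey),
    encryptedPrivateKey: seal(membershipKey, Buffer.from(groupPrivatePem)),
  };
}
// Secret added to a group: secret key wrapped to the group public key.
function shareSecret(groupPublicPem, plaintext) {
  const secretKey = crypto.randomBytes(32);
  return {
    keyCiphertext: crypto.publicEncrypt(groupPublicPem, secretKey),
    secretCiphertext: seal(secretKey, Buffer.from(plaintext)),
  };
}
// Reader walks the chain: personal private key -> membership secret key ->
// group private key -> secret key -> secret.
function readSharedSecret(userPrivatePem, membership, stored) {
  const membershipKey = crypto.privateDecrypt(userPrivatePem, membership.encryptedSecretKey);
  const groupPrivatePem = open(membershipKey, membership.encryptedPrivateKey).toString();
  const secretKey = crypto.privateDecrypt(groupPrivatePem, stored.keyCiphertext);
  return open(secretKey, stored.secretCiphertext).toString();
}
// Constructed sample run: one user, one group, the page's sample secret.
const user = newKeyPair(), group = newKeyPair();
const membership = addMember(user.publicKey, group.privateKey);
console.log(readSharedSecret(user.privateKey, membership, shareSecret(group.publicKey, 'Soylent Green is people')));
```

Both return values are ciphertext only, which is what the server stores per group membership and per group the secret belongs to.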